Skip to content

vRA Remote Logging

My post on vCAC logging has been quite popular since its release. With VMware’s release of new and updated management products at the end of 2014, some changes to vCAC, now vRA, exist. In order to avoid confusion by attempting to update the older post, I decided it was time for a new post. Also, with the release of the Log Insight Linux agent, it is a good time to show end-to-end remote logging for vRA when leveraging the Log Insight agents.
Unfortunately, vRA still does not support setting a remote syslog destination to forward all vRA logs within the GUI yet. Like last time, I would like to cover where all the log files are located and more importantly how you can forward them to a remote syslog destination like Log Insight.
vRA Product Icon Mac_0

Log Locations

Let me start by laying out all the different components and the log locations:

  • vRA VA + vRCS
    • /var/log/vcac/catalina.out
    • /var/log/vco/app-server/catalina.out
    • /var/log/apache2/access_log
    • /var/log/apache2/error_log
    • /var/log/apache2/ssl_request_log
    • /storage/artifactory/home/logs/artifactory.log
    • /storage/artifactory/home/logs/access.log
    • /storage/artifactory/home/logs/request.log
    • /storage/artifactory/home/logs/import.export.log
  • vRA Windows
    • C:\Program Files (x86)\VMware\vCAC\Agents\<PLUGIN>\logs\<FILE>
      • <PLUGIN> examples: vSphereAgent, nsx, VC50, VC55Agent, VDIAgent, vCNS
      • <FILE> examples: vSphereAgent, EpiPowerShellAgent, VdiPowerShellAgent
      • Note: <PLUGIN> is based on the name of the agent given during installation
    • C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEM>\Logs\*_All
      • Note: <DEM> is based on the name of the DEM given during installation (defaults to ‘DEM’)
    • C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEO>\Logs\*_All
      • Note: <DEO> is based on the name of the DEO given during installation (defaults to ‘DEO’)
    • C:\Program Files (x86)\VMware\vCAC\Server\Logs\All
    • C:\Program Files (x86)\VMware\vCAC\Server\ConfigTool\Log\vCACConfiguration-<date>
    • C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Logs\<nothing today>
    • C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs\Repository
    • C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\Web_Admin_All
    • C:\Program Files (x86)\VMware\vCAC\Web API\Logs\<nothing today>
  • SSO
    • /var/log/vmware/sso/catalina.out
    • /var/log/vmware/sso/ssoAdminServer.log
    • /var/log/vmware/sso/vmware-identity-sts-perf.log
    • /var/log/vmware/sso/vmware-identity-sts.log
    • /var/log/vmware/sso/vmware-sts-idmd-perf.log
    • /var/log/vmware/sso/vmware-sts-idmd.err
    • /var/log/vmware/sso/vmware-sts-idmd.log
  • VRO
    • /var/log/vco/app-server/catalina.out
  • APPD
    • /home/darwin/tcserver/darwin/logs/catalina.out
  • VRB
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/catalina.out
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/auditFile.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-external-api.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-reflib-update.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-vc-dc.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm.log
  • VCS
    • /var/log/vmware/vpx/vpxd.log
    • /var/log/vmware/vpx/vws.log
    • /var/log/vmware/vpx/vmware-vpxd.log
    • /var/log/vmware/vpx/inventoryservice/ds.log
    • /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log
    • /var/log/vmware/sso/ssoAdminServer.log
    • /var/log/vmware/sso/vmware-identity-sts.log
    • /var/log/vmware/sso/vmware-sts-idmd-perf.log
    • /var/log/vmware/sso/vmware-sts-idmd.log

Wow, that is a lot of log files! In order to forward these log files to a remote syslog destination like Log Insight, you need to configure a syslog agent on each device. In order to save everyone a lot of time, I have put together the configurations necessary based on the syslog agent installed in the VA for each vCAC component. Enjoy!

Log Insight Server-Side Configuration

Before I break down the configuration for each component of vRA and its dependencies, it is worth mentioning that if you are running Log Insight and install the Log Insight Windows/Linux agent on all vRA components and other VMware dependencies, then you can more easily configure remote logging centrally on the Log Insight server-side under Administration > Agents and the agents will automatically collect the logs applicable to them (i.e. they will ignore any configuration that is not applicable). This makes agent configuration much easier than the manual steps provided in the sections that follow.

Important: In order to push server-side configuration to Log Insight agents, you must use the ingestion API with the agent. If you use the syslog protocol with the agents then the below configuration will not work.

Unfortunately, the Windows part of vRA for remote log collection is a little tricky (this is true whether you use this central approach or the more manual approach in the following sections). Below you will find two configuration sections, the first is static configuration information that can be copied and pasted as-is. The second is dynamic configuration, which depends on what installed and what you named it. For the second configuration section, you will need to replace anything that looks like <THIS>.

Important: For the Windows components, you must use the Log Insight agent and the ingestion API if you want the vRA content pack for Log Insight to work properly. If you do not use the Log Insight agent or if you do not use the ingestion API with the Log Insight agent then some of the queries in the vRA content pack will return no results.

  • Static – copy and paste the below information as-is. While some of it may not apply to your environment the agent will properly monitor what is applicable. Do not forgot to see the Dynamic bullet below this section as it needs to be configured as well!

    Important: The use of the ingestion API with the Log Insight agent is highly recommended for the Linux components and required for the Windows component. Also, the use of asterisk (*) in the include directory is correct and should not be changed. The asterisk is a glob and means one or more characters. Using this over the entire filename is recommended as the filename may change over team (e.g. rebranding from vCloud to vRealize).

;;; vRA
[filelog|vra]
directory=/var/log/vmware/vcac
event_marker=^\d
tags={"vmw_product":"vra","vmw_product_component":"cafe"}
[filelog|apache]
directory=/var/log/apache2
tags={"asf_product":"http"}
;;; vRCS
[filelog|vrcs]
directory=/storage/artifactory/home/logs
event_marker=^\d
tags={"vmw_product":"vrcs","vmw_product_component":"jfrog"}
;;; vCenter SSO VCSA
[filelog|vmw-sso]
directory=/var/log/vmware/sso
exclude=vmware-*
event_marker=^(\[\d{4}-\d{2}-\d{2}|\d{2}-\w+-\d{4})
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-idmd-perf]
directory=/var/log/vmware/sso
include=vmware-sts-idmd-perf*
event_marker=^\d{4}-\d{2}-\d{2}\s\S+\s\w+\s+\w+
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-perf]
directory=/var/log/vmware/sso
include=vmware-identity-sts-perf*
event_marker=^\[\d{4}-\d{2}-\d{2}\s\S+\s\S+\s\S+\]\s+\w+
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-other]
directory=/var/log/vmware/sso
include=vmware-sts-idmd.*;vmware-identity-sts.*
event_marker=^\[\d{4}-\d{2}-\d{2}\s\S+\s\S+\s\S+
tags={"vmw_product":"sso"}
;;; vRA APPD
[filelog|vra-appd]
directory=/home/darwin/tcserver/darwin/logs
event_marker=^\w+\s\d{2}\s\d{4}\s\S+\s\w+\s+[\S+]
tags={"vmw_product":"vra","vmw_product_component":"appd"}
;;; vRB
[filelog|vra-vrb-server]
directory=/var/log/itbm-server
event_marker=^\d
tags={"vmw_product":"vrb","vmw_product_component":"server"}
[filelog|vra-vrb-data-collector]
directory=/var/log/itbm-data-collector
event_marker=^\d
tags={"vmw_product":"vrb","vmw_product_component":"data-collector"}
;;; vCenter Server VCSA
[filelog|vmw-vc-vpx]
directory=/var/log/vmware/vpx
include=vpxd.log;vws.log;vmware-vpxd.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-vpx-ds]
directory=/var/log/vmware/vpx/inventoryservice
include=ds.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-client]
directory=/var/log/vmware/vsphere-client/logs
include=vsphere_client_virgo.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-client-wrapper]
directory=/var/log/vmware/vsphere-client/Logs
include=wrapper.log
tags={"vmw_product":"vcenter"}
;;; vCenter SSO Windows (CAVA)
[filelog|vcenter-sso]
directory=C:\ProgramData\VMware\CIS\logs\vmware-sso\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"sso"}
[filelog|vcenter-sso-sts]
directory=C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"sso"}
;;; Static vRA agent configuration
[filelog|vra-agent-vsphere]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\vSphereAgent\logs\
event_marker=^\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"vra","vmw_product_component":"agent"}
[filelog|vra-server]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"server"}
[filelog|vra-mm]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"mm"}
[filelog|vra-web]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"web"}
[filelog|vra-install]
directory=C:\Program Files (x86)\VMware\vCAC\InstallLogs\
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"install"}
  •  Dynamic – do NOT copy and paste the information below without changing anything with <brackets>. Note the below information depends on what you have configured in your environment. For example, if you installed 10 agents, you will need to add 10 agent configuration sections like the example below.

    Important: The use of the ingestion API with the Log Insight agent is highly recommended for the Linux components and required for the Windows component. Also, the use of asterisk (*) in the include directory is correct and should not be changed. The asterisk is a glob and means one or more characters. Using this over the entire filename is recommended as the filename may change over team (e.g. rebranding from vCloud to vRealize).

;;; Dynamic vRA agent configuration
;;; MANUAL CONFIGURATION CHANGES REQUIRED
;;; DO NOT JUST COPY AND PASTE THIS SECTION
;;; For every agent installed a new agent configuration section is required
;;; The name of the agent given during installation dictates the log directory name
[filelog|vra-agent-<AGENT_NAME>]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\<AGENT_NAME>\logs\
event_marker=^\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"vra","vmw_product_component":"agent"}
;;; A DEM name can be specified during installation
;;; The name of the DEM given during installation dictates the log directory name
;;; If no name is given the DEM name is: DEM
[filelog|vra-dem]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEM_NAME>\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"dem"}
;;; A DEO name can be specified during installation
;;; The name of the DEO given during installation dictates the log directory name
;;; If no name is given the DEO name is: DEO
[filelog|vra-deo]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEO_NAME>\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"deo"}

vRA VA + vRCS

Log Insight Linux Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: /var/lib/loginsight-agent/liagent.ini
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; vRA + vRCS
[filelog|vra]
directory=/var/log/vmware/vcac
event_marker=^\d
tags={"vmw_product":"vra","vmw_product_component":"cafe"}
[filelog|apache]
directory=/var/log/apache2
tags={"asf_product":"http"}
[filelog|vrcs]
directory=/storage/artifactory/home/logs
event_marker=^\d
tags={"vmw_product":"vrcs","vmw_product_component":"jfrog"}

Rsyslog

#
# vRA log files
# Add to: /etc/rsyslog.d/remote.conf
# Replace <LOGINSIGHT> with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
$ModLoad imfile
# vRA
$InputFileName /var/log/vmware/vcac/catalina.out
$InputFileTag vcac:
$InputFileStateFile stat-vcac-catalina1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/vco/app-server/catalina.out
$InputFileTag vco:
$InputFileStateFile stat-vco-catalina1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/access_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-access1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/error_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-error1
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/ssl_request_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-ssl1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
# vRCS
$InputFileName /storage/artifactory/home/logs/artifactory.log
$InputFileTag vrcs:
$InputFileStateFile stat-vrcs-artifactory
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /storage/artifactory/home/logs/import.export.log
$InputFileTag vrcs:
$InputFileStateFile stat-vrcs-import-export
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /storage/artifactory/home/logs/access_log
$InputFileTag vrcs:
$InputFileStateFile stat-vrcs-access1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /storage/artifactory/home/logs/error_log
$InputFileTag vrcs:
$InputFileStateFile stat-vrcs-error1
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor
# check for new lines every 10 seconds
$InputFilePollInterval 10
*.* @@<LOGINSIGHT>

vRA Windows

Important: For the Windows components, you must use the Log Insight agent and the ingestion API if you want the vRA content pack for Log Insight to work properly. If you do not use the Log Insight agent or if you do not use the ingestion API with the Log Insight agent then some of the queries in the vRA content pack will return no results. Also, whether you are running IAAS in an all-in-one or distributed model the below configuration can be used. Any log files that do not exist will be ignored.

Log Insight Windows Agent

The recommended way to collect logs from the vRA Windows components is using the Log Insight Windows agent. Unfortunately, the Windows part of vRA for remote log collection is a little tricky. Below you will find two configuration sections, the first is static configuration information that can be copied and pasted as-is. The second is dynamic configuration, which depends on what installed and what you named it. For the second configuration section, you will need to replace anything that looks like <THIS>.

  • Static
;;;
;;; Add to: C:\ProgramData\VMware\Log Insight Agent\liagent.ini
;;; Note that ProgramData is often hidden by default so you will need to show hidden folders
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; Static vRA agent configuration
;;; Important: You must use the ingestion API or the tags will not be sent
[filelog|vra-agent-vsphere]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\vSphereAgent\logs\
event_marker=^\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"vra","vmw_product_component":"agent"}
[filelog|vra-server]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"server"}
[filelog|vra-mm]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"mm"}
[filelog|vra-web]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"web"}
[filelog|vra-install]
directory=C:\Program Files (x86)\VMware\vCAC\InstallLogs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"install"}
  •  Dynamic
;;; Dynamic vRA agent configuration
;;; MANUAL CONFIGURATION CHANGES REQUIRED
;;; DO NOT JUST COPY AND PASTE THIS SECTION
;;; For every agent installed a new agent configuration section is required
;;; The name of the agent given during installation dictates the log directory name
[filelog|vra-agent-<AGENT_NAME>]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\<AGENT_NAME>\logs\
event_marker=^\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"vra","vmw_product_component":"agent"}
;;; A DEM name can be specified during installation
;;; The name of the DEM given during installation dictates the log directory name
;;; If no name is given the DEM name is: DEM
[filelog|vra-dem]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEM_NAME>\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"dem"}
;;; A DEO name can be specified during installation
;;; The name of the DEO given during installation dictates the log directory name
;;; If no name is given the DEO name is: DEO
[filelog|vra-deo]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<DEO_NAME>\Logs\
include=*All.log;Repository.log
event_marker=^\[\w\w\w:\d{4}-\d{2}-\d{2}
tags={"vmw_product":"vra","vmw_product_component":"deo"}

SSO

Log Insight Windows Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: C:\ProgramData\VMware\Log Insight Agent\liagent.ini
;;; Note that ProgramData is often hidden by default so you will need to show hidden folders
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; vCenter SSO Windows (CAVA)
[filelog|vcenter-sso]
directory=C:\ProgramData\VMware\CIS\logs\vmware-sso\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"sso"}
[filelog|vcenter-sso-sts]
directory=C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
tags={"vmw_product":"sso"}

Log Insight Linux Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: /var/lib/loginsight-agent/liagent.ini
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; vCenter SSO VCSA
[filelog|vmw-sso]
directory=/var/log/vmware/sso
exclude=vmware-*
event_marker=^(\[\d{4}-\d{2}-\d{2}|\d{2}-\w+-\d{4})
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-idmd-perf]
directory=/var/log/vmware/sso
include=vmware-sts-idmd-perf*
event_marker=^\d{4}-\d{2}-\d{2}\s\S+\s\w+\s+\w+
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-perf]
directory=/var/log/vmware/sso
include=vmware-identity-sts-perf*
event_marker=^\[\d{4}-\d{2}-\d{2}\s\S+\s\S+\s\S+\]\s+\w+
tags={"vmw_product":"sso"}
[filelog|vmw-sso-sts-other]
directory=/var/log/vmware/sso
include=vmware-sts-idmd.*;vmware-identity-sts.*
event_marker=^\[\d{4}-\d{2}-\d{2}\s\S+\s\S+\s\S+
tags={"vmw_product":"sso"}

Syslog-NG

#
# SSO log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace <LOGINSIGHT> with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source sso {
file("/var/log/vmware/sso/catalina.out" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/ssoAdminServer.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.err" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
};
destination logserver { tcp("<LOGINSIGHT>" port (514)); };
log { source(sso); destination(logserver); };
log { source(src); destination(logserver); };

VRO

vRO is the one component where using an agent is not recommended. Instead, one should edit the log4j configuration to enable remote syslog. This requires two changes within /etc/vco/app-server/log4j.xml (note vRO may also be installed on the vRA VA so be sure to configure it there as well if applicable):

  1. Replace <LOGINSIGHT>
     <appender name="SYSLOG" class="org.apache.log4j.net.SyslogAppender">
            <param name="Threshold" value="INFO"/>
            <param name="Facility" value="LOCAL1"/>
            <param name="SyslogHost" value="<LOGINSIGHT>"/>
            <param name="FacilityPrinting" value="false"/>
            <layout class="org.apache.log4j.PatternLayout">
              <param name="ConversionPattern" value="vco: prio:%-5p thread:%t token:%X{token} wf:%X{workflowName} wfid:%X{workflow} user: %X{username} cat:%c{1} msg:%m%n"/>
            </layout>
        </appender>
    
  2. Change:
    <root>
            <priority value="INFO" />
            <appender-ref ref="CONSOLE" />
            <appender-ref ref="FILE" />
            <!--
            <appender-ref ref="SYSLOG" />
            -->
            <!--
            <appender-ref ref="EVENT_LOG" />
            -->
        </root>
    

    To:

    <root>
            <priority value="INFO" />
            <appender-ref ref="CONSOLE" />
            <appender-ref ref="FILE" />
            <appender-ref ref="SYSLOG" />
            <!--
            <appender-ref ref="EVENT_LOG" />
            -->
        </root>

Finally, restart VRO: /etc/init.d/vco-server restart

APPD

Log Insight Linux Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: /var/lib/loginsight-agent/liagent.ini
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; vRA APPD
[filelog|vra-appd]
directory=/home/darwin/tcserver/darwin/logs
event_marker=^\w+\s\d{2}\s\d{4}\s\S+\s\w+\s+[\S+]
tags={"vmw_product":"vra","vmw_product_component":"appd","appname":"appd: "}

Syslog-NG

#
# APPD log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace <LOGINSIGHT> with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source appd {
file("/home/darwin/tcserver/darwin/logs/catalina.out" follow_freq(1) flags(no-parse) log_prefix("appd: "));
};
destination logserver { tcp("<LOGINSIGHT>" port (514)); };
log { source(appd); destination(logserver); };
log { source(src); destination(logserver); };

VRB

Log Insight Linux Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: /var/lib/loginsight-agent/liagent.ini
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; VRB
[filelog|vra-vrb-server]
directory=/var/log/itbm-server
event_marker=^\d
tags={"vmw_product":"vrb","vmw_product_component":"server"}
[filelog|vra-vrb-data-collector]
directory=/var/log/itbm-data-collector
event_marker=^\d
tags={"vmw_product":"vrb","vmw_product_component":"data-collector"}

Syslog-NG

#
# ITBM log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace <LOGINSIGHT> with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source itbm {
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/catalina.out" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/auditFile.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-external-api.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-reflib-update.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-vc-dc.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
};
destination logserver { tcp("<LOGINSIGHT>" port (514)); };
log { source(itbm); destination(logserver); };
log { source(src); destination(logserver); };

VCS

Log Insight Linux Agent

Important: The use of the ingestion API with the Log Insight agent is highly recommended.

;;;
;;; Add to: /var/lib/loginsight-agent/liagent.ini
;;; If you are running an agent version OLDER than 2.5 you must restart the agent after making this change
;;;
;;; vCenter Server VCSA
[filelog|vmw-vc-vpx]
directory=/var/log/vmware/vpx
include=vpxd.log;vws.log;vmware-vpxd.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-vpx-ds]
directory=/var/log/vmware/vpx/inventoryservice
include=ds.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-client]
directory=/var/log/vmware/vsphere-client/logs
include=vsphere_client_virgo.log
event_marker=^(\[)?\d{4}-\d{2}-\d{2}(T| )\d{2}:\d{2}:\d{2}
tags={"vmw_product":"vcenter"}
[filelog|vmw-vc-client-wrapper]
directory=/var/log/vmware/vsphere-client/Logs
include=wrapper.log
tags={"vmw_product":"vcenter"}

Syslog-NG

#
# VCS log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace <LOGINSIGHT> with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source vcs {
file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/sso/ssoAdminServer.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.err" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
};
destination logserver { tcp("<LOGINSIGHT>" port (514)); };
log { source(vcs); destination(logserver); };
log { source(src); destination(logserver); };

© 2015, Steve Flanders. All rights reserved.

Published inVMware

6 Comments

  1. Dan Y Dan Y

    Steve, you feel this still applies well to 6.1 or 6.2 of vRA? The current content pack points to 6.0 and I’m seeing some discrepancies on the queries on the dashboard.

    • Hey Dan – the information in this post is for vRA 6.1 or newer including 6.2. The LI content pack today only supports vRA (vCAC) 6.0. Stay tuned for an updated content pack!

  2. Ben Ben

    Hello,
    For vRO, I think the default seemed to be that the facility isn’t set either, so as well as replacing you also need to set on the line above it.
    Also, it didn’t seem that a restart of vRO was required, it just seemed to kick into life! Thanks for the guide.

    • Good call on the facility though note the vRA content pack does not require the facility to work properly. Thanks for the comment!

  3. Venkat Venkat

    Steve,
    Excellent article, thanks for your time and efforts for detailed write-up. Is there any possibility to get the samples configs ? Some of the screenshots are chopped out in the screenshots.

    • Hey Venkat — Thanks for the comment. The vRA content pack in LI includes the agent group configurations, I would recommend using that. If you are looking for the non-liagent configuration, you should see button in the code blocks on the blog post that can be used to see the cut off content. I hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *